git.vger.kernel.org archive mirror
From: Ted Ts'o <tytso@mit.edu>
To: Junio C Hamano <gitster@pobox.com>
Cc: "Jeff King" <peff@peff.net>,
	"Joseph Parmelee" <jparmele@wildbear.com>,
	"Carlos Martín Nieto" <cmn@elego.de>,
	"Olsen, Alan R" <alan.r.olsen@intel.com>,
	"Michael Witten" <mfwitten@gmail.com>,
	"git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Lack of detached signatures
Date: Thu, 29 Sep 2011 09:18:45 -0400
Message-ID: <20110929131845.GQ19250@thunk.org>
In-Reply-To: <7vbou4uhuu.fsf@alter.siamese.dyndns.org>

On Wed, Sep 28, 2011 at 08:50:49PM -0700, Junio C Hamano wrote:
> 
> I was actually more worried about helping consumers convince themselves
> that thusly signed keys indeed belong to producers like Linus, Peter,
> etc. There are those who worry that DNS record to code.google.com/ for
> them may point at an evil place to give them rogue download material.
> "Here are the keys you can verify our trees with" message on the mailing
> list, even with the message is signed with GPG, would not be satisfactory
> to them.

What do you mean by "consumers" in this context?  Most end users don't
actually download tarballs from www.kernel.org or code.google.com!  :-)

If you mean developers at Linux distributions Red Hat, SuSE, or
Handset manufacturers such as Samsung, HTC, Motorola, etc., there will
be many of those representatives at LinuxCon Europe and CELF (Consumer
Electronics Linux Forum) Europe conferences, which will be colocated
with the Kernel Summit in Prague.

If you are thinking of random developers located in far-flung places
of the world who don't have any contact with other Linux developers,
this is a previously unsolved problem.  There are links into the
developing Kernel GPG tree that are signed by the GPG web trust used
by Debian, OpenSuSE, and (soon) Fedora.  Given that people generally
have to trust one or more of those web of trusts, that's the best we
can do, at least as far as I know.  If you can suggest something
better, please let me know!


						- Ted
